US8935523B1 - Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules - Google Patents
Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules Download PDFInfo
- Publication number
- US8935523B1 US8935523B1 US13/710,606 US201213710606A US8935523B1 US 8935523 B1 US8935523 B1 US 8935523B1 US 201213710606 A US201213710606 A US 201213710606A US 8935523 B1 US8935523 B1 US 8935523B1
- Authority
- US
- United States
- Prior art keywords
- cryptographic
- computer instructions
- band
- physical
- communication system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
-
- H04L9/28—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/14—Multichannel or multilink protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/25—Pc structure of the system
- G05B2219/25205—Encrypt communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present embodiments relate to an auditable cryptographic communication system which provides security between an enterprise server and industrial devices while allowing continuous configuration and reconfiguration online, with continual monitoring that provides updates without shutting off the industrial devices, without shutting off the security system, and without shutting off the enterprise server.
- FIG. 1 depicts an overview of an auditable cryptographic communication system.
- FIG. 2 depicts a diagram of an enterprise data storage usable in the auditable cryptographic communication system.
- FIG. 3 depicts components of a cryptographic manager tool usable in the system of FIG. 1 .
- FIG. 4 depicts a diagram of a first virtual cryptographic module usable in the cryptographic communication system of FIG. 1
- FIG. 5 depicts a diagram of a physical cryptographic module usable in the auditable cryptographic communication system.
- FIG. 6 depicts a diagram of a tamper detection means usable in the cryptographic communication system.
- the present embodiments relate to a cryptographic communication system, which can provide security between an enterprise server and one or more industrial devices while allowing continuous configuration and reconfiguration online of the industrial devices with continual monitoring of the industrial device using a multiplexed cryptographic pipe.
- the cryptographic communication system can provide updates very often, such as, in less than 25 seconds, without shutting off all of the industrial devices of the cryptographic communication system and without shutting off a security system of the cryptographic communication system, and/or an enterprise server connected to the cryptographic communication system.
- out-of-band for the enterprise server can refer to bidirectional messaging from the enterprise server to components of the cryptographic communication system which can provide security between an enterprise server and industrial devices, wherein the messaging flows through the multiplexed cryptographic pipe.
- Out-of-band messaging can include commands for implementing diagnostics, testing, performing maintenance, or executing the performance steps required for components of the cryptographic communication system.
- Out-of-band messaging does not include commands for maintenance and performance of the industrial device to which the cryptographic communication system is connected.
- Out-of-band messaging can also be used for communicating historical logs that document the performance of security measures, and for messaging information concerning the generation and distribution of cryptographic keys used for validations, key exchanges, and communication sessions by the cryptographic communication system.
- in-band can refer to bidirectional communication between the enterprise server and one or more connected industrial devices through the multiplexed cryptographic pipe the messaging protocol of each industrial device.
- out-of-band for the cryptographic manager tool can refer to messaging from the cryptographic manager tool to a plurality of physical cryptographic modules of the cryptographic communication system.
- cryptographic messaging can refer to both “in-band” and “out-of-band” messaging that can also include telemetry, which is encrypted between the virtual cryptographic module of the cryptographic manager tool and one or more of the plurality of physical cryptographic modules connected on the network.
- cryptographic time outs can refer to periods of time, known in the industry as “cryptographic periods,” that have been pre-established and stored in the cryptographic manager tool. They can include cryptographic manager tool settings that have been preset by a user based on best practice recommendations from cyber security authorities, such as the US government's National Institute of Standards and Technology (NIST) and corporate security policies, for encrypting information from one or more of a plurality of industrial devices based on the type of industrial device, the type of information being transmitted and/or received, and the level of terrorism or hacking that the industrial device generally experiences.
- NIST National Institute of Standards and Technology
- the cryptographic communication system can provide authentication or cryptographic keys.
- Conventionally, the generation of authentication keys or cryptographic keys has been time intensive for central processing units. The cost in performance needed to be balanced against the cost in security. Users have had to balance the time required to generate cryptographic keys against the need for cryptographic keys in communication.
- the cryptographic communication system can enable the user to choose a more frequent key generation or a less frequent key generation depending on best practices, NIST standards, and/or corporate security policies while passing the communication through the multiplexed cryptographic pipe.
- the cryptographic communication system can help the American economy stay operational in view of hacking attacks by controlling messaging flow through a multiplexed cryptographic pipe.
- computing cloud is an industry term and generally refers to a hosted group of servers including processors and data storage which provide a service to the auditable cryptographic protected communication system, but are not owned by the entity controlling the system.
- uncontrolled can mean that the network is not within the control of the owner of the enterprise server or the owner of one or more of the industrial devices.
- the enterprise server owner can also be the industrial device owner.
- An uncontrolled network can be unsecured and/or unencrypted.
- the cryptographic communication system allows keys to be generated for critical information needed by the user and for other information as designated by the operator of the system, allowing a very fast but very secure encryption/decryption system to operate through the multiplexed cryptographic pipe between industrial devices and enterprise servers over a plurality of uncontrolled networks, simultaneously, sequentially, or combinations thereof.
- the cryptographic communication system can allow a user to decide how much time the system spends generating keys, in view of the cost of having greater or lesser security, by allowing the user to select cryptographic time outs.
- the system is an auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using the messaging protocol of each industrial device.
- the enterprise server can transmit commands and receive status and measurement data over a network using communications divided between in-band and out-of-band communications.
- Each enterprise server can have at least one enterprise processor in communication with an enterprise data storage.
- Each enterprise server communicates to a plurality of industrial devices simultaneously connected to the network using in-band messages via a multiplexed cryptopipe that contains multiple cryptopipes, each individual cryptopipe capable of transmitting and receiving in-band messaging.
- the auditable cryptographic protected communication system can connect an enterprise server to a plurality of industrial devices using a network.
- the auditable cryptographic protected communication system can use one or more enterprise servers.
- Each enterprise server of the system can be located in a computing cloud or outside of a computing cloud.
- Each industrial device can receive commands and transmit status and measurement data in its own unique messaging protocol through a multiplexed cryptopipe allowing multiple devices to transmit data simultaneously, and allowing a single device to perform at least three different activities simultaneously with other devices, allowing continuous operation of the system 24 hours a day, 7 days a week, without the need to shut down the entire system for reconfiguration of a single industrial device or because of a cryout, call out, or exception report produced by a single industrial device.
- the multiple industrial devices can be automated flow controllers, sensors connected to oil pipelines, sensors on oil rigs, or other types of meters, can transmit each piece of data into different cryptopipes in a multiplexed cryptopipe for ultimate safe secure transmission of in-band messaging.
- the enterprise data storage can include computer instructions to form a plurality of virtual cryptographic modules.
- Each of the plurality of virtual cryptographic modules can include computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the physical cryptographic module; computer instructions to transmit in-band decrypted commands to the physical cryptographic module; computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the physical cryptographic module; computer instructions to receive out-of-band encrypted or plain text status and measurement data or encrypted messaging from the physical cryptographic module; and computer instructions to receive encrypted out-of-band log data on performance of the physical cryptographic modules.
- the virtual cryptographic modules can include computer instructions to generate cryptographic keys by the virtual cryptographic module, using a member of the group comprising: an event wherein security is uncertain, an event wherein security is compromised, a cryptographic time out, or combinations thereof.
- the enterprise data storage can include computer instructions to form a multiplexed cryptopipe, as well as the formed multiplexed cryptopipe and computer instructions to use the multiplexed cryptopipe to communicate between the plurality of virtual cryptographic modules and the plurality of industrial devices via individual physical cryptographic modules simultaneously.
- the enterprise data storage can also include computer instructions to monitor, configure and reconfigure online and on demand, continuously, multiplexed cryptographic pipe; computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously; and computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of virtual cryptographic modules simultaneously.
- the enterprise data storage can include a library of virtual cryptographic module settings; and a library of physical cryptographic module settings.
- the library of virtual cryptographic module settings can include a member of the group consisting of: a pipe local IP address, pipe time outs, a pipe remote IP address, a pipe buffer size, a pipe listen IP address, a local port, a remote port, a pipe protocol, a pipe auto-enable, and combinations thereof.
- the library of physical cryptographic modules can include a member of the group consisting of: a tag, a mac address, a lock status, a host port, a device port, closed connection time outs, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, a number of synchronization, a serial number, a status flag, a status string, a note, and combinations thereof.
- GUID graphic user ID
- the auditable communication system can include a plurality of physical cryptographic modules. Each physical cryptographic module can connect to one of the industrial devices.
- Each physical cryptographic module can have a physical cryptographic module processor and a physical cryptographic module data storage connected to the physical cryptographic module processor.
- Each physical cryptographic module data storage can include computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the industrial device; computer instructions to transmit in-band decrypted commands to the industrial device, in communication therewith; computer instructions for receiving encrypted messaging in-band from the enterprise server; and computer instructions for transmitting encrypted messaging in-band to the enterprise server from the physical cryptographic module.
- Each physical cryptographic module data storage can include computer instructions to receive out-of-band plain text status and measurement data or encrypted messaging from the enterprise server to the physical cryptographic module; computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the enterprise server; computer instructions to transmit encrypted out-of-band log data on performance of the physical cryptographic module; and computer instructions to generate cryptographic keys for: digital signatures in authentication certificates; cryptographic key exchanges; and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention.
- Each of the physical cryptographic modules can communicate between one of the enterprise servers and one of the industrial devices using in-band messages and a messaging protocol of each industrial device, and communicates out-of-band messages between at least one of the enterprise servers to each physical cryptographic module without shutting down the auditable communication system and while creating logs and a history of events related to the communication system, including tracking of data, cryouts, call outs, exception reports, online configuration and online reconfiguration, all in a secure, encrypted environment.
- the enterprise data storage can further comprise computer instructions to form a plurality of cryptopipes as components of the multiplexed cryptopipe.
- Each cryptopipe can communicate between a physical cryptographic module and the enterprise server.
- the device communication from the industrial device can be a cryout, a callout, an exception report, an unsolicited message, or combinations thereof.
- the enterprise data storage can further include computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server the virtual cryptographic module.
- the physical cryptographic module can further include computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server and the virtual cryptographic module.
- the enterprise data storage can include computer instructions to present the status and errors related to the multiplexed cryptopipe in real time 24 hours a day, 7 days a week tracking the multiplexed communication, demultiplexed communication, and combinations thereof; between the enterprise server and the physical cryptographic module as an executive dashboard viewable by a user.
- the auditable cryptographic protected communication system can include a security enclosure around each physical cryptographic module with connected industrial device creating a tamperproof environment.
- a tamper detection means can connect or be in communication to one or more security enclosures.
- the tamper detection means can include a sensor, a processor connected to the sensor and a tamper detection data storage connected to the processor, containing computer instructions that detect when the security enclosure is opened; computer instructions that provide an audible alarm when the security enclosure is open; computer instructions that indicate the security enclosure is open; computer instructions that provide a visual alarm when the security enclosure is open; computer instructions that active a digital alarm and notification system when the security enclosure is open, and further provide provides a message to a user via a network.
- the enterprise data storage can include a library of cryptographic module protocols for out-of-band communication with the cryptographic manager tool.
- the host port of the system can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
- the device port can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
- the out-of-band encrypted log information with status and measurement data from the physical cryptographic module can simultaneously include information that indicates performance and a breach of security.
- the enterprise server can communicate simultaneously, consecutively, or combinations thereof with the plurality of industrial devices over a plurality of different networks, from a computing cloud, or combinations thereof.
- the plurality of different networks can simultaneously, consecutively, or combinations thereof be comprised of a radio/cellular network, a worldwide network, satellite network, a corporate network, and a local area control network.
- FIG. 1 depicts an auditable cryptographic protected communication system 10 .
- the auditable cryptographic protected communication system 10 can include a first enterprise server 12 , a second enterprise server 45 , and a third enterprise server 15 .
- the second enterprise server 45 can be in a computing cloud 18 .
- the auditable cryptographic protected communication system 10 can include one or more security enclosures, such as a first security enclosure 31 a , a second security enclosure 31 b , a third security enclosure 31 c , a fourth security enclosure 31 d , and a fifth security enclosure 31 e.
- the first security enclosure 31 a can contain a first physical cryptographic module 20 a , a first input/output port 178 a , and a first industrial device 21 a .
- the first input/output port 178 a can provide communication between the first physical cryptographic module 20 a and the first industrial device 21 a.
- the second security enclosure 31 b can contain a second physical cryptographic module 20 b , a second input/output port 178 b , and a second industrial device 21 b .
- the second input/output port 178 b can provide communication between the second physical cryptographic module 20 b and the second industrial device 21 b.
- the third security enclosure 31 c can contain a third physical cryptographic module 20 c , a third input/output port 178 c , and a third industrial device 21 c .
- the third input/output port 178 c can provide communication between the third physical cryptographic module 20 c and the third industrial device 21 c.
- the fourth security enclosure 31 d can contain a fourth physical cryptographic module 20 d , a fourth input/output port 178 d , and a fourth industrial device 21 d .
- the fourth input/output port 178 d can provide communication between the fourth physical cryptographic module 20 d and the fourth industrial device 21 d.
- the fifth security enclosure 31 e can contain a fifth physical cryptographic module 20 e , a fifth input/output port 178 e , and a fifth industrial device 21 e .
- the fifth input/output port 178 e can provide communication between the fifth physical cryptographic module 20 e and the fifth industrial device 21 e.
- the first industrial device 21 a , the second industrial device 21 b , third industrial device 21 c , fourth industrial device 21 d , and fifth industrial device 21 e can communicate with a network 22 using a multiplexed cryptopipe 29 .
- the first enterprise server 12 , the second enterprise server 45 , and the third enterprise server 15 can also be in communication with the network 22 .
- the auditable cryptographic protected communication system 10 can enable one or more enterprise servers, such as the first enterprise server 12 , the second enterprise server 45 , and the third enterprise server 15 , to receive in-band and out-of-band communications in a special order, as well as to receive messaging from the industrial devices that logs communication events from the industrial devices and for the overall system.
- enterprise servers such as the first enterprise server 12 , the second enterprise server 45 , and the third enterprise server 15 .
- the first enterprise server 12 can have a first enterprise processor 14 and a first enterprise data storage 16 that can be used for storing a first cryptographic manager tool 42 a.
- the second enterprise server 45 can have a second enterprise processor 46 and a second enterprise data storage 44 that can be used for storing a second cryptographic manager tool 42 b.
- the third enterprise server 15 can have a third enterprise processor 19 and a third enterprise data storage 17 that can be used for storing a third cryptographic manager tool 42 c.
- the first enterprise server 12 , the second enterprise server 45 , and the third enterprise server 15 can be connected via a network 22 .
- the network 22 can be the internet, a satellite network, a cellular network, a local area network, a wide area network, a similar network, or combinations thereof.
- the first enterprise server 12 , the second enterprise server 45 , and the third enterprise server 15 , or combinations thereof can communicate using in-band and out-of-band messages to one or more physical cryptographic modules of a plurality of physical cryptographic modules, such as a first physical cryptographic module 20 a , a second physical cryptographic module 20 b , a third physical cryptographic module 20 c , a fourth physical cryptographic module 20 d , and a fifth physical cryptographic module 20 e using the multiplexed cryptopipe 29 .
- multiplexed cryptopipe refers to an encrypted messaging pipeline that contains multiple cryptopipes.
- cryptographic pipe can refer to a virtual pipe connecting the physical cryptographic module to the enterprise server and can refer to software programs with unique computer instructions and combinations thereof.
- Each physical cryptographic module can have a physical cryptographic module processor that can be connected to a physical cryptographic module data storage.
- the first physical cryptographic module 20 a can be in direction communication with the first industrial device 21 a
- the second physical cryptographic module 20 b can be in direct communication with the second industrial device 21 b
- the third physical cryptographic module 20 c can be in direct communication with the third industrial device 21 c
- the fourth physical cryptographic module 20 d can be in direct communication with the fourth industrial device 21 d
- the fifth physical cryptographic module 20 e can be in direct communication with the fifth industrial device 21 e.
- the first enterprise server 12 can transmit commands to all the industrial devices 21 a , 21 b , 21 c , 21 d , and 21 e simultaneously or in sequence using the respective messaging protocols of each individual industrial device 21 a - 21 e using the first cryptographic manager tool 42 a.
- the industrial devices 21 a - 21 e can receive commands simultaneously in the unique messaging protocols of each of the individual industrial devices and each industrial device could have a different messaging protocol.
- a special feature of the communication system is that a first industrial device 21 a can have a first messaging protocol, and a second industrial device 21 b can have a second messaging protocol, yet the industrial devices 21 a and 21 b can transmit status and measurement data in unique messaging protocols over one or more networks 22 to the enterprise server securely through the multiplexed cryptopipe simultaneously for secure encrypted communication that a terrorist cannot hack, safeguarding American pipelines from terrorism.
- the network 22 can be dissimilar networks, similar networks, or combinations thereof.
- the network 22 can be an uncontrolled network.
- the third physical cryptographic module 20 c is shown with a third input/output port 178 c
- the fourth physical cryptographic module is shown with a fourth input/output port 178 d
- the fifth physical cryptographic module is shown with a fifth input/output port 178 e.
- the physical cryptographic modules can have any number of input/output ports.
- security enclosure 31 e is shown in communication with a tamper detection means 74 .
- FIG. 2 depicts the computer instructions in the first enterprise data storage, which can be located and/or spread over several enterprise data storages simultaneously in different embodiments.
- the first cryptographic manager tool 42 a is shown located in the first enterprise data storage 16 , which is located in the first enterprise processor 14 , which is located in the first enterprise server 12 .
- the first cryptographic manager tool 42 a can handle up to 2,000 industrial devices simultaneously.
- the first enterprise data storage 16 can include computer instructions 27 to form a multiplexed cryptopipe.
- the first enterprise data storage 16 can include computer instructions 33 to use the multiplexed cryptopipe to communicate between a plurality of virtual cryptographic modules and a plurality of industrial devices simultaneously.
- the first enterprise data storage 16 can include computer instructions 54 to monitor, configure, and reconfigure online and on demand, continuously, a multiplexed cryptographic pipe.
- the first enterprise data storage 16 can include computer instructions 56 to monitor, configure, and reconfigure online and on demand, continuously, a plurality of physical cryptographic modules simultaneously.
- the first enterprise data storage 16 can include computer instructions 58 to monitor, configure, and reconfigure online and on demand, continuously, a plurality of virtual cryptographic modules simultaneously.
- the first enterprise data storage 16 can include the library of virtual cryptographic module settings 60 , which can include, but is not limited to: a pipe local IP address, a pipe time out, a pipe remote IP address, a pipe buffer size, a pipe listen IP address, a local port, a remote port, a pipe protocol, a pipe auto-enable, and multiples or combinations thereof.
- the first enterprise data storage 16 can include the library of physical cryptographic module settings 62 , which can include, but is not limited to: a tag; a mac address; a lock status, such as a memory lock; a host port; a device port; and combinations of these settings.
- the host port can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, a mesh radio network, and combinations thereof.
- the device port can have the same kinds of ports as the host port.
- the library of physical cryptographic module settings can be in the enterprise server, and can also include, but is not limited to: a closed connection time out, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, a number of synchronization, a serial number, a status flag, a status string, notes, and combinations thereof.
- GUID graphic user ID
- the first enterprise data storage 16 can include computer instructions 89 to form a plurality of cryptopipes as components of the multiplexed cryptopipe, wherein each cryptopipe communicates between a physical cryptographic module and an enterprise server.
- the first enterprise data storage 16 can include computer instructions 66 to manage the multiplexed cryptopipe in real time, 24 hours a day, 7 days a week, performing multiplexed and demultiplexed communications between an enterprise server and a virtual cryptographic module.
- the first enterprise data storage 16 can include computer instructions 70 to present the status and errors related to the multiplexed cryptopipe in real time 24 hours a day, 7 days a week tracking the multiplexed communication, demultiplexed communication, and combinations thereof between an enterprise server and a physical cryptographic module as an executive dashboard viewable by a user.
- the first enterprise data storage 16 can include a library of cryptographic module protocols 176 for out-of-band communication with the cryptographic manager tool.
- the first enterprise data storage 16 can include computer instructions 116 to generate cryptographic keys for digital signatures in authentication certificates, cryptographic key exchanges, and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention.
- FIG. 3 depicts a diagram of the first cryptographic manager tool.
- the first cryptographic manager tool 42 a can have computer instructions 39 to form a plurality of virtual cryptographic modules.
- the first cryptographic manager tool 42 a can also have a first virtual cryptographic module 38 a , a second virtual cryptographic module 38 b , and a third virtual cryptographic module 38 c.
- any number of virtual cryptographic modules can be used.
- FIG. 4 provides a diagram of a virtual cryptographic module.
- the first virtual cryptographic module 38 a can include computer instructions 64 to generate cryptographic keys by the virtual cryptographic module, using a member of the group comprising: an event wherein security is uncertain; an event wherein security is compromised; a cryptographic time outs; or combinations thereof.
- the first virtual cryptographic module 38 a can include computer instructions 200 to receive in-band plain text status and measurement data in the messaging protocol of at least one industrial device from a physical cryptographic module.
- the first virtual cryptographic module 38 a can include computer instructions 202 to transmit in-band decrypted commands to a physical cryptographic module.
- the first virtual cryptographic module 38 a can include computer instructions 204 to transmit out-of-band plain text status and measurement data or encrypted messaging to a physical cryptographic module.
- the first virtual cryptographic module 38 a can include computer instructions 206 to receive out-of-band encrypted or plain text status and measurement data or encrypted messaging from a physical cryptographic module.
- the first virtual cryptographic module 38 a can include computer instructions 210 to receive encrypted out-of-band performance log on performance of the physical cryptographic modules, to copy the encrypted out-of-band performance log forming an additional encrypted out-of-band performance log, to pass one encrypted out-of-band performance log through the enterprise server to form a tamper resistant performance log, and to decrypt the other encrypted out-of-band performance log.
- the first virtual cryptographic module 38 a can also include computer instructions 814 for copying the received in-band encrypted logs forming additional received in-band encrypted logs, and for passing one of the received in-band encrypted logs through the enterprise server forming tamper resistant received in-band encrypted logs, and for decrypting the other received in-band encrypted logs.
- FIG. 5 shows a diagram of the first physical cryptographic module.
- the first physical cryptographic module 20 a can have a first physical cryptographic module processor 24 a that can connect to a first physical cryptographic module data storage 26 a.
- Each physical cryptographic module previously described can have a physical cryptographic module processor that can be connected to a physical cryptographic module data storage.
- the first physical cryptographic module 20 a can include computer instructions 100 to receive in-band plain text status and measurement data in the messaging protocol of an industrial device from an industrial device.
- the first physical cryptographic module 20 a can include computer instructions 102 to transmit in-band decrypted commands to an industrial device, in communication therewith.
- the first physical cryptographic module 20 a can include computer instructions 104 for receiving encrypted messaging in-band from the enterprise server.
- the first physical cryptographic module 20 a can include computer instructions 105 for transmitting encrypted messaging in-band to an enterprise server from the physical cryptographic module.
- the first physical cryptographic module 20 a can include computer instructions 106 to receive out-of-band plain text status and measurement data or encrypted messaging from an enterprise server to the physical cryptographic module.
- the first physical cryptographic module 20 a can include computer instructions 108 to transmit out-of-band plain text status and measurement data or encrypted messaging to an enterprise server.
- the first physical cryptographic module 20 a can include computer instructions 110 to transmit encrypted out-of-band log data on performance of the physical cryptographic module.
- the first physical cryptographic module 20 a can include computer instructions 112 to generate cryptographic keys.
- the first physical cryptographic module 20 a can include computer instructions 68 to manage the multiplexed cryptopipe in real time, 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between an enterprise server and the virtual cryptographic module.
- the physical cryptographic modules can provide a communication path allowing for the industrial devices to communicate through in-band and/or out-of-band messages with the additional enterprise servers simultaneously.
- an in-band plain text message from the first physical cryptographic module to an industrial device can be a command to send status and measurement data.
- an in-band decrypted command to an industrial device which is decrypted by the first physical cryptographic module can be a command that opens a certain valve.
- the physical cryptographic module data storage computer instructions to generate keys creates keys for digital signatures in authentication certificates, cryptographic key exchanges, and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention.
- An example of a cryptographic key can be a public key to decrypt a digital signature on an authentication certificate.
- the first physical cryptographic module data storage 26 a can include computer instructions 810 for receiving and encrypting in-band plain text logs from an industrial device forming received in-band encrypted logs.
- the first physical cryptographic module data storage 26 a can include computer instructions 812 for transmitting the received in-band encrypted logs to the enterprise server.
- FIG. 6 depicts a diagram of a tamper detection means.
- the tamper detection means 74 can include a sensor 75 that can be connected to one of the security enclosures.
- the sensor 75 can connect or be in communication with a tamper detection means processor 76 .
- the tamper detection means processor 76 can have tamper detection means data storage 77 that can contain computer instructions to communicate one of a variety of messages as mentioned earlier to a user, including but not limited to an audio alarm, a visual alarm and activation of an alarm notification system which can notify a user, such as by an email or text a message directly to a client device of a user.
- the tamper detection means data storage 77 can include computer instructions 300 that detect when the security enclosure is opened.
- the tamper detection means data storage 77 can include computer instructions 301 that provide an audible alarm when the security enclosure is detected as being open.
- the tamper detection means data storage 77 can include computer instructions 302 to provide a visual alarm when the security enclosure is detected as being open.
- the tamper detection means data storage 77 can include computer instructions 303 to activate a digital alarm and notification system that provides a message to a user via a network when the security enclosure is detected as being open.
Abstract
An auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using messaging protocols for each industrial device enabling the industrial devices to receive commands and transmit status and measurement data using the individual device messaging protocols over a network.
Description
The current application is a continuation in part of co-pending U.S. patent application Ser. No. 13/552,396 filed on Jul. 18, 2012, entitled “AUDITABLE CRYPTOGRAPHIC PROTECTED COMMUNICATION SYSTEM”. This reference is hereby incorporated in its entirety.
The present embodiments relate to an auditable cryptographic communication system which provides security between an enterprise server and industrial devices while allowing continuous configuration and reconfiguration online, with continual monitoring that provides updates without shutting off the industrial devices, without shutting off the security system, and without shutting off the enterprise server.
A need exists for a security system that can provide in-band communication to industrial devices from an enterprise server while allowing out-of-band communication between the enterprise server and the security devices, which include software termed “cryptographic manager tool,” and a hardware/software product termed “physical cryptographic module.”
A need exists for a high security communication system usable with a plurality of different networks simultaneously and/or consecutively, between an enterprise server and a plurality of industrial devices.
A need exists for a secure communication system that is auditable over many networks simultaneously, as the owner of an enterprise server or an industrial device may not control the intervening networks over which the communication may need to occur, which can include a radio/cellular network, the internet, a corporate network, and a local area control network consecutively or simultaneously.
A further need exists for a cryptographic communication system that provides security between an enterprise server and industrial devices, provides measurement and control data while the enterprise server continuously configures and reconfigures online one or more additional industrial devices, and allows continual monitoring without shutting off industrial devices, a security system, and/or an enterprise server.
The present embodiments meet these needs.
The detailed description will be better understood in conjunction with the accompanying drawings as follows:
The present embodiments are detailed below with reference to the listed Figures.
Before explaining the present system in detail, it is to be understood that the system is not limited to the particular embodiments and that they can be practiced or carried out in various ways.
The present embodiments relate to a cryptographic communication system, which can provide security between an enterprise server and one or more industrial devices while allowing continuous configuration and reconfiguration online of the industrial devices with continual monitoring of the industrial device using a multiplexed cryptographic pipe.
The cryptographic communication system can provide updates very often, such as, in less than 25 seconds, without shutting off all of the industrial devices of the cryptographic communication system and without shutting off a security system of the cryptographic communication system, and/or an enterprise server connected to the cryptographic communication system.
The term “out-of-band for the enterprise server” as used herein can refer to bidirectional messaging from the enterprise server to components of the cryptographic communication system which can provide security between an enterprise server and industrial devices, wherein the messaging flows through the multiplexed cryptographic pipe.
Out-of-band messaging can include commands for implementing diagnostics, testing, performing maintenance, or executing the performance steps required for components of the cryptographic communication system. Out-of-band messaging does not include commands for maintenance and performance of the industrial device to which the cryptographic communication system is connected. Out-of-band messaging can also be used for communicating historical logs that document the performance of security measures, and for messaging information concerning the generation and distribution of cryptographic keys used for validations, key exchanges, and communication sessions by the cryptographic communication system.
The term “in-band” as used herein can refer to bidirectional communication between the enterprise server and one or more connected industrial devices through the multiplexed cryptographic pipe the messaging protocol of each industrial device.
The term “out-of-band for the cryptographic manager tool” as used herein can refer to messaging from the cryptographic manager tool to a plurality of physical cryptographic modules of the cryptographic communication system.
The term “cryptographic messaging” can refer to both “in-band” and “out-of-band” messaging that can also include telemetry, which is encrypted between the virtual cryptographic module of the cryptographic manager tool and one or more of the plurality of physical cryptographic modules connected on the network.
The term “cryptographic time outs” as used herein can refer to periods of time, known in the industry as “cryptographic periods,” that have been pre-established and stored in the cryptographic manager tool. They can include cryptographic manager tool settings that have been preset by a user based on best practice recommendations from cyber security authorities, such as the US government's National Institute of Standards and Technology (NIST) and corporate security policies, for encrypting information from one or more of a plurality of industrial devices based on the type of industrial device, the type of information being transmitted and/or received, and the level of terrorism or hacking that the industrial device generally experiences.
The cryptographic communication system can provide authentication or cryptographic keys. Conventionally, the generation of authentication keys or cryptographic keys has been time intensive for central processing units. The cost in performance needed to be balanced against the cost in security. Users have had to balance the time required to generate cryptographic keys against the need for cryptographic keys in communication.
The cryptographic communication system can enable the user to choose a more frequent key generation or a less frequent key generation depending on best practices, NIST standards, and/or corporate security policies while passing the communication through the multiplexed cryptographic pipe.
The cryptographic communication system can help the American economy stay operational in view of hacking attacks by controlling messaging flow through a multiplexed cryptographic pipe.
As used herein, the term “computing cloud” is an industry term and generally refers to a hosted group of servers including processors and data storage which provide a service to the auditable cryptographic protected communication system, but are not owned by the entity controlling the system.
The term “uncontrolled” as used herein can mean that the network is not within the control of the owner of the enterprise server or the owner of one or more of the industrial devices. In some cases, the enterprise server owner can also be the industrial device owner. An uncontrolled network can be unsecured and/or unencrypted.
The cryptographic communication system allows keys to be generated for critical information needed by the user and for other information as designated by the operator of the system, allowing a very fast but very secure encryption/decryption system to operate through the multiplexed cryptographic pipe between industrial devices and enterprise servers over a plurality of uncontrolled networks, simultaneously, sequentially, or combinations thereof.
The cryptographic communication system can allow a user to decide how much time the system spends generating keys, in view of the cost of having greater or lesser security, by allowing the user to select cryptographic time outs.
The system is an auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using the messaging protocol of each industrial device.
Using the messaging protocol of each industrial device, which can all be different, simultaneously, the enterprise server can transmit commands and receive status and measurement data over a network using communications divided between in-band and out-of-band communications.
Each enterprise server can have at least one enterprise processor in communication with an enterprise data storage. Each enterprise server communicates to a plurality of industrial devices simultaneously connected to the network using in-band messages via a multiplexed cryptopipe that contains multiple cryptopipes, each individual cryptopipe capable of transmitting and receiving in-band messaging.
The auditable cryptographic protected communication system can connect an enterprise server to a plurality of industrial devices using a network.
The auditable cryptographic protected communication system can use one or more enterprise servers.
Each enterprise server of the system can be located in a computing cloud or outside of a computing cloud.
Each industrial device can receive commands and transmit status and measurement data in its own unique messaging protocol through a multiplexed cryptopipe allowing multiple devices to transmit data simultaneously, and allowing a single device to perform at least three different activities simultaneously with other devices, allowing continuous operation of the system 24 hours a day, 7 days a week, without the need to shut down the entire system for reconfiguration of a single industrial device or because of a cryout, call out, or exception report produced by a single industrial device.
In one or more embodiments, the multiple industrial devices can be automated flow controllers, sensors connected to oil pipelines, sensors on oil rigs, or other types of meters, can transmit each piece of data into different cryptopipes in a multiplexed cryptopipe for ultimate safe secure transmission of in-band messaging.
The enterprise data storage can include computer instructions to form a plurality of virtual cryptographic modules.
Each of the plurality of virtual cryptographic modules can include computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the physical cryptographic module; computer instructions to transmit in-band decrypted commands to the physical cryptographic module; computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the physical cryptographic module; computer instructions to receive out-of-band encrypted or plain text status and measurement data or encrypted messaging from the physical cryptographic module; and computer instructions to receive encrypted out-of-band log data on performance of the physical cryptographic modules.
Additionally, the virtual cryptographic modules can include computer instructions to generate cryptographic keys by the virtual cryptographic module, using a member of the group comprising: an event wherein security is uncertain, an event wherein security is compromised, a cryptographic time out, or combinations thereof.
In addition to the cryptographic manager tool that includes a virtual cryptographic module, the enterprise data storage can include computer instructions to form a multiplexed cryptopipe, as well as the formed multiplexed cryptopipe and computer instructions to use the multiplexed cryptopipe to communicate between the plurality of virtual cryptographic modules and the plurality of industrial devices via individual physical cryptographic modules simultaneously.
The enterprise data storage can also include computer instructions to monitor, configure and reconfigure online and on demand, continuously, multiplexed cryptographic pipe; computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously; and computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of virtual cryptographic modules simultaneously.
The enterprise data storage can include a library of virtual cryptographic module settings; and a library of physical cryptographic module settings.
The library of virtual cryptographic module settings can include a member of the group consisting of: a pipe local IP address, pipe time outs, a pipe remote IP address, a pipe buffer size, a pipe listen IP address, a local port, a remote port, a pipe protocol, a pipe auto-enable, and combinations thereof.
The library of physical cryptographic modules can include a member of the group consisting of: a tag, a mac address, a lock status, a host port, a device port, closed connection time outs, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, a number of synchronization, a serial number, a status flag, a status string, a note, and combinations thereof.
The auditable communication system can include a plurality of physical cryptographic modules. Each physical cryptographic module can connect to one of the industrial devices.
Each physical cryptographic module can have a physical cryptographic module processor and a physical cryptographic module data storage connected to the physical cryptographic module processor.
Each physical cryptographic module data storage can include computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the industrial device; computer instructions to transmit in-band decrypted commands to the industrial device, in communication therewith; computer instructions for receiving encrypted messaging in-band from the enterprise server; and computer instructions for transmitting encrypted messaging in-band to the enterprise server from the physical cryptographic module.
Each physical cryptographic module data storage can include computer instructions to receive out-of-band plain text status and measurement data or encrypted messaging from the enterprise server to the physical cryptographic module; computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the enterprise server; computer instructions to transmit encrypted out-of-band log data on performance of the physical cryptographic module; and computer instructions to generate cryptographic keys for: digital signatures in authentication certificates; cryptographic key exchanges; and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention.
Each of the physical cryptographic modules can communicate between one of the enterprise servers and one of the industrial devices using in-band messages and a messaging protocol of each industrial device, and communicates out-of-band messages between at least one of the enterprise servers to each physical cryptographic module without shutting down the auditable communication system and while creating logs and a history of events related to the communication system, including tracking of data, cryouts, call outs, exception reports, online configuration and online reconfiguration, all in a secure, encrypted environment.
The enterprise data storage can further comprise computer instructions to form a plurality of cryptopipes as components of the multiplexed cryptopipe.
Each cryptopipe can communicate between a physical cryptographic module and the enterprise server.
In embodiments, the device communication from the industrial device can be a cryout, a callout, an exception report, an unsolicited message, or combinations thereof.
In embodiments, the enterprise data storage can further include computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server the virtual cryptographic module.
In embodiments, the physical cryptographic module can further include computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server and the virtual cryptographic module.
In embodiments, the enterprise data storage can include computer instructions to present the status and errors related to the multiplexed cryptopipe in real time 24 hours a day, 7 days a week tracking the multiplexed communication, demultiplexed communication, and combinations thereof; between the enterprise server and the physical cryptographic module as an executive dashboard viewable by a user.
In embodiments, the auditable cryptographic protected communication system can include a security enclosure around each physical cryptographic module with connected industrial device creating a tamperproof environment.
In embodiments, a tamper detection means can connect or be in communication to one or more security enclosures.
The tamper detection means can include a sensor, a processor connected to the sensor and a tamper detection data storage connected to the processor, containing computer instructions that detect when the security enclosure is opened; computer instructions that provide an audible alarm when the security enclosure is open; computer instructions that indicate the security enclosure is open; computer instructions that provide a visual alarm when the security enclosure is open; computer instructions that active a digital alarm and notification system when the security enclosure is open, and further provide provides a message to a user via a network.
In embodiments, a cryout can be defined to be an electronic messaging alarm, an activated automated phone call, an exception report, a text message, an email or combinations thereof.
In embodiments, the enterprise data storage can include a library of cryptographic module protocols for out-of-band communication with the cryptographic manager tool.
In embodiments, the host port of the system can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
In embodiments, the device port can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
In embodiments, the out-of-band encrypted log information with status and measurement data from the physical cryptographic module can simultaneously include information that indicates performance and a breach of security.
In embodiments, the enterprise server can communicate simultaneously, consecutively, or combinations thereof with the plurality of industrial devices over a plurality of different networks, from a computing cloud, or combinations thereof.
In embodiments, the plurality of different networks can simultaneously, consecutively, or combinations thereof be comprised of a radio/cellular network, a worldwide network, satellite network, a corporate network, and a local area control network.
Turning now to the Figures, FIG. 1 depicts an auditable cryptographic protected communication system 10.
The auditable cryptographic protected communication system 10 can include a first enterprise server 12, a second enterprise server 45, and a third enterprise server 15. The second enterprise server 45 can be in a computing cloud 18.
The auditable cryptographic protected communication system 10 can include one or more security enclosures, such as a first security enclosure 31 a, a second security enclosure 31 b, a third security enclosure 31 c, a fourth security enclosure 31 d, and a fifth security enclosure 31 e.
The first security enclosure 31 a can contain a first physical cryptographic module 20 a, a first input/output port 178 a, and a first industrial device 21 a. The first input/output port 178 a can provide communication between the first physical cryptographic module 20 a and the first industrial device 21 a.
The second security enclosure 31 b can contain a second physical cryptographic module 20 b, a second input/output port 178 b, and a second industrial device 21 b. The second input/output port 178 b can provide communication between the second physical cryptographic module 20 b and the second industrial device 21 b.
The third security enclosure 31 c can contain a third physical cryptographic module 20 c, a third input/output port 178 c, and a third industrial device 21 c. The third input/output port 178 c can provide communication between the third physical cryptographic module 20 c and the third industrial device 21 c.
The fourth security enclosure 31 d can contain a fourth physical cryptographic module 20 d, a fourth input/output port 178 d, and a fourth industrial device 21 d. The fourth input/output port 178 d can provide communication between the fourth physical cryptographic module 20 d and the fourth industrial device 21 d.
The fifth security enclosure 31 e can contain a fifth physical cryptographic module 20 e, a fifth input/output port 178 e, and a fifth industrial device 21 e. The fifth input/output port 178 e can provide communication between the fifth physical cryptographic module 20 e and the fifth industrial device 21 e.
The first industrial device 21 a, the second industrial device 21 b, third industrial device 21 c, fourth industrial device 21 d, and fifth industrial device 21 e can communicate with a network 22 using a multiplexed cryptopipe 29.
The first enterprise server 12, the second enterprise server 45, and the third enterprise server 15 can also be in communication with the network 22.
The auditable cryptographic protected communication system 10 can enable one or more enterprise servers, such as the first enterprise server 12, the second enterprise server 45, and the third enterprise server 15, to receive in-band and out-of-band communications in a special order, as well as to receive messaging from the industrial devices that logs communication events from the industrial devices and for the overall system.
The first enterprise server 12 can have a first enterprise processor 14 and a first enterprise data storage 16 that can be used for storing a first cryptographic manager tool 42 a.
The second enterprise server 45 can have a second enterprise processor 46 and a second enterprise data storage 44 that can be used for storing a second cryptographic manager tool 42 b.
The third enterprise server 15 can have a third enterprise processor 19 and a third enterprise data storage 17 that can be used for storing a third cryptographic manager tool 42 c.
The first enterprise server 12, the second enterprise server 45, and the third enterprise server 15 can be connected via a network 22. The network 22 can be the internet, a satellite network, a cellular network, a local area network, a wide area network, a similar network, or combinations thereof.
The first enterprise server 12, the second enterprise server 45, and the third enterprise server 15, or combinations thereof can communicate using in-band and out-of-band messages to one or more physical cryptographic modules of a plurality of physical cryptographic modules, such as a first physical cryptographic module 20 a, a second physical cryptographic module 20 b, a third physical cryptographic module 20 c, a fourth physical cryptographic module 20 d, and a fifth physical cryptographic module 20 e using the multiplexed cryptopipe 29.
The term “multiplexed cryptopipe” refers to an encrypted messaging pipeline that contains multiple cryptopipes.
The term “cryptographic pipe” as used herein can refer to a virtual pipe connecting the physical cryptographic module to the enterprise server and can refer to software programs with unique computer instructions and combinations thereof.
Each physical cryptographic module can have a physical cryptographic module processor that can be connected to a physical cryptographic module data storage.
The first physical cryptographic module 20 a can be in direction communication with the first industrial device 21 a, the second physical cryptographic module 20 b can be in direct communication with the second industrial device 21 b, the third physical cryptographic module 20 c can be in direct communication with the third industrial device 21 c, the fourth physical cryptographic module 20 d can be in direct communication with the fourth industrial device 21 d, and the fifth physical cryptographic module 20 e can be in direct communication with the fifth industrial device 21 e.
The first enterprise server 12 can transmit commands to all the industrial devices 21 a, 21 b, 21 c, 21 d, and 21 e simultaneously or in sequence using the respective messaging protocols of each individual industrial device 21 a-21 e using the first cryptographic manager tool 42 a.
The industrial devices 21 a-21 e can receive commands simultaneously in the unique messaging protocols of each of the individual industrial devices and each industrial device could have a different messaging protocol.
A special feature of the communication system is that a first industrial device 21 a can have a first messaging protocol, and a second industrial device 21 b can have a second messaging protocol, yet the industrial devices 21 a and 21 b can transmit status and measurement data in unique messaging protocols over one or more networks 22 to the enterprise server securely through the multiplexed cryptopipe simultaneously for secure encrypted communication that a terrorist cannot hack, safeguarding American pipelines from terrorism.
The network 22 can be dissimilar networks, similar networks, or combinations thereof. The network 22 can be an uncontrolled network.
The third physical cryptographic module 20 c is shown with a third input/output port 178 c, the fourth physical cryptographic module is shown with a fourth input/output port 178 d, and the fifth physical cryptographic module is shown with a fifth input/output port 178 e.
In one or more embodiments, the physical cryptographic modules can have any number of input/output ports.
In this embodiment, security enclosure 31 e is shown in communication with a tamper detection means 74.
The first cryptographic manager tool 42 a is shown located in the first enterprise data storage 16, which is located in the first enterprise processor 14, which is located in the first enterprise server 12.
The first cryptographic manager tool 42 a can handle up to 2,000 industrial devices simultaneously.
The first enterprise data storage 16 can include computer instructions 27 to form a multiplexed cryptopipe.
The first enterprise data storage 16 can include computer instructions 33 to use the multiplexed cryptopipe to communicate between a plurality of virtual cryptographic modules and a plurality of industrial devices simultaneously.
The first enterprise data storage 16 can include computer instructions 54 to monitor, configure, and reconfigure online and on demand, continuously, a multiplexed cryptographic pipe.
The first enterprise data storage 16 can include computer instructions 56 to monitor, configure, and reconfigure online and on demand, continuously, a plurality of physical cryptographic modules simultaneously.
The first enterprise data storage 16 can include computer instructions 58 to monitor, configure, and reconfigure online and on demand, continuously, a plurality of virtual cryptographic modules simultaneously.
The first enterprise data storage 16 can include the library of virtual cryptographic module settings 60, which can include, but is not limited to: a pipe local IP address, a pipe time out, a pipe remote IP address, a pipe buffer size, a pipe listen IP address, a local port, a remote port, a pipe protocol, a pipe auto-enable, and multiples or combinations thereof.
The first enterprise data storage 16 can include the library of physical cryptographic module settings 62, which can include, but is not limited to: a tag; a mac address; a lock status, such as a memory lock; a host port; a device port; and combinations of these settings. The host port can be an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, a mesh radio network, and combinations thereof. The device port can have the same kinds of ports as the host port.
The library of physical cryptographic module settings can be in the enterprise server, and can also include, but is not limited to: a closed connection time out, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, a number of synchronization, a serial number, a status flag, a status string, notes, and combinations thereof.
The first enterprise data storage 16 can include computer instructions 89 to form a plurality of cryptopipes as components of the multiplexed cryptopipe, wherein each cryptopipe communicates between a physical cryptographic module and an enterprise server.
The first enterprise data storage 16 can include computer instructions 66 to manage the multiplexed cryptopipe in real time, 24 hours a day, 7 days a week, performing multiplexed and demultiplexed communications between an enterprise server and a virtual cryptographic module.
The first enterprise data storage 16 can include computer instructions 70 to present the status and errors related to the multiplexed cryptopipe in real time 24 hours a day, 7 days a week tracking the multiplexed communication, demultiplexed communication, and combinations thereof between an enterprise server and a physical cryptographic module as an executive dashboard viewable by a user.
The first enterprise data storage 16 can include a library of cryptographic module protocols 176 for out-of-band communication with the cryptographic manager tool.
The first enterprise data storage 16 can include computer instructions 116 to generate cryptographic keys for digital signatures in authentication certificates, cryptographic key exchanges, and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention.
The first cryptographic manager tool 42 a can have computer instructions 39 to form a plurality of virtual cryptographic modules.
In one or more embodiments, the first cryptographic manager tool 42 a can also have a first virtual cryptographic module 38 a, a second virtual cryptographic module 38 b, and a third virtual cryptographic module 38 c.
In one or more embodiments, any number of virtual cryptographic modules can be used.
The first virtual cryptographic module 38 a can include computer instructions 64 to generate cryptographic keys by the virtual cryptographic module, using a member of the group comprising: an event wherein security is uncertain; an event wherein security is compromised; a cryptographic time outs; or combinations thereof.
The first virtual cryptographic module 38 a can include computer instructions 200 to receive in-band plain text status and measurement data in the messaging protocol of at least one industrial device from a physical cryptographic module.
The first virtual cryptographic module 38 a can include computer instructions 202 to transmit in-band decrypted commands to a physical cryptographic module.
The first virtual cryptographic module 38 a can include computer instructions 204 to transmit out-of-band plain text status and measurement data or encrypted messaging to a physical cryptographic module.
The first virtual cryptographic module 38 a can include computer instructions 206 to receive out-of-band encrypted or plain text status and measurement data or encrypted messaging from a physical cryptographic module.
The first virtual cryptographic module 38 a can include computer instructions 210 to receive encrypted out-of-band performance log on performance of the physical cryptographic modules, to copy the encrypted out-of-band performance log forming an additional encrypted out-of-band performance log, to pass one encrypted out-of-band performance log through the enterprise server to form a tamper resistant performance log, and to decrypt the other encrypted out-of-band performance log.
The first virtual cryptographic module 38 a can also include computer instructions 814 for copying the received in-band encrypted logs forming additional received in-band encrypted logs, and for passing one of the received in-band encrypted logs through the enterprise server forming tamper resistant received in-band encrypted logs, and for decrypting the other received in-band encrypted logs.
The first physical cryptographic module 20 a can have a first physical cryptographic module processor 24 a that can connect to a first physical cryptographic module data storage 26 a.
Each physical cryptographic module previously described can have a physical cryptographic module processor that can be connected to a physical cryptographic module data storage.
The first physical cryptographic module 20 a can include computer instructions 100 to receive in-band plain text status and measurement data in the messaging protocol of an industrial device from an industrial device.
The first physical cryptographic module 20 a can include computer instructions 102 to transmit in-band decrypted commands to an industrial device, in communication therewith.
The first physical cryptographic module 20 a can include computer instructions 104 for receiving encrypted messaging in-band from the enterprise server.
The first physical cryptographic module 20 a can include computer instructions 105 for transmitting encrypted messaging in-band to an enterprise server from the physical cryptographic module.
The first physical cryptographic module 20 a can include computer instructions 106 to receive out-of-band plain text status and measurement data or encrypted messaging from an enterprise server to the physical cryptographic module.
The first physical cryptographic module 20 a can include computer instructions 108 to transmit out-of-band plain text status and measurement data or encrypted messaging to an enterprise server.
The first physical cryptographic module 20 a can include computer instructions 110 to transmit encrypted out-of-band log data on performance of the physical cryptographic module.
The first physical cryptographic module 20 a can include computer instructions 112 to generate cryptographic keys.
The first physical cryptographic module 20 a can include computer instructions 68 to manage the multiplexed cryptopipe in real time, 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between an enterprise server and the virtual cryptographic module.
The physical cryptographic modules can provide a communication path allowing for the industrial devices to communicate through in-band and/or out-of-band messages with the additional enterprise servers simultaneously.
As an example, an in-band plain text message from the first physical cryptographic module to an industrial device can be a command to send status and measurement data.
As an example of an in-band decrypted command to an industrial device which is decrypted by the first physical cryptographic module can be a command that opens a certain valve.
In an embodiment, the physical cryptographic module data storage computer instructions to generate keys creates keys for digital signatures in authentication certificates, cryptographic key exchanges, and cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention. An example of a cryptographic key can be a public key to decrypt a digital signature on an authentication certificate.
The first physical cryptographic module data storage 26 a can include computer instructions 810 for receiving and encrypting in-band plain text logs from an industrial device forming received in-band encrypted logs.
The first physical cryptographic module data storage 26 a can include computer instructions 812 for transmitting the received in-band encrypted logs to the enterprise server.
The tamper detection means 74 can include a sensor 75 that can be connected to one of the security enclosures. The sensor 75 can connect or be in communication with a tamper detection means processor 76.
The tamper detection means processor 76 can have tamper detection means data storage 77 that can contain computer instructions to communicate one of a variety of messages as mentioned earlier to a user, including but not limited to an audio alarm, a visual alarm and activation of an alarm notification system which can notify a user, such as by an email or text a message directly to a client device of a user.
The tamper detection means data storage 77 can include computer instructions 300 that detect when the security enclosure is opened.
The tamper detection means data storage 77 can include computer instructions 301 that provide an audible alarm when the security enclosure is detected as being open.
The tamper detection means data storage 77 can include computer instructions 302 to provide a visual alarm when the security enclosure is detected as being open.
The tamper detection means data storage 77 can include computer instructions 303 to activate a digital alarm and notification system that provides a message to a user via a network when the security enclosure is detected as being open.
While these embodiments have been described with emphasis on the embodiments, it should be understood that within the scope of the appended claims, the embodiments might be practiced other than as specifically described herein.
Claims (20)
1. An auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices, each industrial device using at least one messaging protocol for each industrial device enabling the industrial devices to receive commands and transmit status and measurement data using the at least one messaging protocol for each industrial device over a network, wherein the auditable cryptographic protected communication system comprises:
a. at least one enterprise server having at least one enterprise processor and an enterprise data storage, wherein the at least one enterprise server communicates to a plurality of industrial devices connected to the network using in-band messages using a multiplexed cryptopipe;
b. computer instructions in the enterprise data storage comprising:
(i) a cryptographic manager tool in the enterprise data storage comprising:
1. computer instructions to form a plurality of virtual cryptographic modules;
2. a plurality of virtual cryptographic modules wherein each virtual cryptographic module comprises:
i. computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the physical cryptographic module;
ii. computer instructions to transmit in-band decrypted commands to the physical cryptographic module;
iii. computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the physical cryptographic module;
iv. computer instructions to receive out-of-band encrypted or plain text status and measurement data or encrypted messaging from the physical cryptographic module;
v. computer instructions to receive encrypted out-of-band performance log on performance of the physical cryptographic modules, to copy the encrypted out-of-band performance log forming an additional encrypted out-of-band performance log, to pass one encrypted out-of-band performance log through the enterprise server to form a tamper resistant performance log, and to decrypt the other encrypted out-of-band performance log;
vi. computer instructions to generate cryptographic keys by the virtual cryptographic module, using a member of the group comprising: an event wherein security is uncertain; an event wherein security is compromised; a cryptographic time outs; or combinations thereof;
(ii) computer instructions to form a multiplexed cryptopipe;
(iii) a multiplexed cryptopipe;
(iv) computer instructions to use the multiplexed cryptopipe to communicate between the plurality of virtual cryptographic modules and the plurality of industrial devices simultaneously;
(v) computer instructions to monitor, configure and reconfigure online and on demand, continuously, multiplexed cryptographic pipe;
(vi) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously;
(vii) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of virtual cryptographic modules simultaneously;
(viii) a library of virtual cryptographic module settings; and
(ix) a library of physical cryptographic module settings;
c. a plurality of physical cryptographic modules, wherein one of the physical cryptographic module connects to one of the industrial devices, and wherein, each physical cryptographic module comprises:
(i) a physical cryptographic module processor;
(ii) a physical cryptographic module data storage connected to the physical cryptographic module processor, wherein the physical cryptographic module data storage comprises:
1. computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device from the industrial device;
2. computer instructions to transmit in-band decrypted commands to the industrial device, in communication therewith;
3. computer instructions for receiving encrypted messaging in-band from the enterprise server;
4. computer instructions for transmitting encrypted messaging in-band to the enterprise server from the physical cryptographic module;
5. computer instructions to receive out-of-band plain text status and measurement data or encrypted messaging from the enterprise server to the physical cryptographic module;
6. computer instructions to transmit out-of-band plain text status and measurement data or encrypted messaging to the enterprise server;
7. computer instructions to transmit encrypted out-of-band log data on performance of the physical cryptographic module; and
8. computer instructions to generate cryptographic keys for:
i. digital signatures in authentication certificates;
ii. cryptographic key exchanges; and
iii. cryptographic communication sessions between the plurality of physical cryptographic modules and the enterprise server without human intervention;
d. wherein each of the physical cryptographic modules communicates between one of the enterprise servers and one of the industrial devices using in-band messages and a messaging protocol of each industrial device, and communicates out-of-band messages between at least one of the enterprise servers to each physical cryptographic module.
2. The auditable cryptographic protected communication system of claim 1 , wherein the enterprise data storage further comprises: computer instructions to form a plurality of cryptopipes as components of the multiplexed cryptopipe, wherein each cryptopipe communicates between a physical cryptographic module and the enterprise server.
3. The auditable cryptographic protected communication system of claim 1 , wherein the device communication from the industrial device comprises:
a. a cryout;
b. a callout;
c. an exception report;
d. an unsolicited message; and
e. combinations thereof.
4. The auditable cryptographic protected communication system of claim 1 , wherein the enterprise data storage further comprises computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server and the virtual cryptographic module.
5. The auditable cryptographic protected communication system of claim 1 , wherein the physical cryptographic module further comprising computer instructions to manage the multiplexed cryptopipe in real time 24 hours a day, 7 days a week performing multiplexed and demultiplexed communications between the enterprise server and the virtual cryptographic module.
6. The auditable cryptographic protected communication system of claim 1 , further comprising computer instructions in the enterprise data storage to present the status and errors related to the multiplexed cryptopipe in real time 24 hours a day, 7 days a week tracking the multiplexed communication, demultiplexed communication, and combinations thereof; between the enterprise server and the physical cryptographic module as an executive dashboard viewable by a user.
7. The auditable cryptographic protected communication system of claim 1 , further comprising a security enclosure around each physical cryptographic module with connected industrial device creating a tamperproof environment.
8. The auditable cryptographic protected communication system of claim 7 , further comprising a tamper detection means connected to the security enclosure, wherein the tamper detection means comprises a sensor, a processor connected to the sensor and a tamper detection means data storage connected to the processor, wherein the tamper detection data storage comprises:
a. computer instructions that detect when the security enclosure is opened;
b. computer instructions that provide an audible alarm when computer instructions indicate the security enclosure is open;
c. computer instructions provide a visual alarm when computer instructions indicate the security enclosure is open; and
d. computer instructions activate a digital alarm and notification system that provides a message to a user via a network that computer instructions have detected that the security enclosure is open.
9. The auditable cryptographic protected communication system of claim 3 , wherein the cryout is an electronic messaging alarm, an activated automated phone call, an exception report, a text message, an email or combinations thereof.
10. The auditable cryptographic protected communication system of claim 1 , wherein the enterprise data storage comprises a library of cryptographic module protocols for out-of-band communication with the cryptographic manager tool.
11. The auditable cryptographic protected communication system of claim 1 , wherein the library of virtual cryptographic module settings includes a member of the group consisting of: a pipe local IP address, pipe time outs, a pipe remote IP address, a pipe buffer size, a pipe listen IP address, a local port, a remote port, a pipe protocol, a pipe auto-enable, and combinations thereof.
12. The auditable cryptographic protected communication system of claim 1 , wherein the library of physical cryptographic module settings includes a member of the group consisting of: a tag, a mac address, a lock status, a host port, a device port, closed connection time outs, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, a number of synchronization, a serial number, a status flag, a status string, a note, and combinations thereof.
13. The auditable cryptographic protected communication system of claim 12 , wherein the host port is an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
14. The auditable cryptographic protected communication system of claim 12 , wherein the device port is an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network port.
15. The auditable cryptographic protected communication system of claim 1 , wherein the out-of-band encrypted log information with status and measurement data from the physical cryptographic module comprises performance information and information that indicates a breach of security simultaneously.
16. The auditable cryptographic protected communication system of claim 1 , wherein the enterprise server communicates with the plurality of industrial devices over a plurality of different networks simultaneously, consecutively, or combinations thereof or from a computing cloud, or combinations thereof.
17. The auditable cryptographic protected communication system of claim 16 , wherein the plurality of different networks simultaneously, consecutively or combinations thereof comprise: a radio/cellular network, a worldwide network, satellite network, a corporate network, and a local area control network.
18. The auditable cryptographic protected communication system of claim 1 , wherein the physical cryptographic module data storage further comprises computer instructions for receiving and encrypting in-band plain text logs from an industrial device forming received in-band encrypted logs.
19. The auditable cryptographic protected communication system of claim 18 , wherein the physical cryptographic module data storage further comprises computer instructions for transmitting the received in-band encrypted logs to the enterprise server.
20. The auditable cryptographic protected communication system of claim 19 , wherein the enterprise data storage further comprises computer instructions for copying the received in-band encrypted logs forming additional received in-band encrypted logs, and for passing one of the received in-band encrypted logs through the enterprise server forming tamper resistant received in-band encrypted logs, and for decrypting the other received in-band encrypted logs.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US13/710,606 US8935523B1 (en) | 2012-07-18 | 2012-12-11 | Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US13/552,396 US8364950B1 (en) | 2012-07-18 | 2012-07-18 | Auditable cryptographic protected communication system |
| US13/710,606 US8935523B1 (en) | 2012-07-18 | 2012-12-11 | Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US13/552,396 Continuation-In-Part US8364950B1 (en) | 2012-07-18 | 2012-07-18 | Auditable cryptographic protected communication system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US8935523B1 true US8935523B1 (en) | 2015-01-13 |
Family
ID=52247892
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US13/710,606 Active 2033-01-31 US8935523B1 (en) | 2012-07-18 | 2012-12-11 | Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules |
Country Status (1)
| Country | Link |
|---|---|
| US (1) | US8935523B1 (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170094551A1 (en) * | 2015-09-30 | 2017-03-30 | Intel IP Corporation | Interference mitigation by a scalable digital wireless modem |
| WO2017074887A1 (en) * | 2015-10-26 | 2017-05-04 | Secturion Systems, Inc. | Multi-independent level secure (mils) storage encryption |
| US9798899B1 (en) | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
| US9858442B1 (en) | 2013-03-29 | 2018-01-02 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US10013580B2 (en) | 2013-03-29 | 2018-07-03 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US10114766B2 (en) | 2013-04-01 | 2018-10-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US10251061B2 (en) | 2015-12-17 | 2019-04-02 | Tadhg Kelly | Cellular out of band management as a cloud service |
| US11016457B1 (en) | 2019-07-19 | 2021-05-25 | zdSCADA, LP | Supervisory control and data acquisition (SCADA) system for use with SCADA devices having disparate communication technologies |
| US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
| US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US11330003B1 (en) * | 2017-11-14 | 2022-05-10 | Amazon Technologies, Inc. | Enterprise messaging platform |
Citations (40)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS5398861A (en) | 1977-02-09 | 1978-08-29 | Oki Electric Ind Co Ltd | Underwater information collecting system |
| US5638378A (en) | 1994-12-22 | 1997-06-10 | Motorola, Inc. | Method of operating a communication system |
| US5719771A (en) | 1993-02-24 | 1998-02-17 | Amsc Subsidiary Corporation | System for mapping occurrences of conditions in a transport route |
| US5745384A (en) | 1995-07-27 | 1998-04-28 | Lucent Technologies, Inc. | System and method for detecting a signal in a noisy environment |
| US5794009A (en) | 1996-05-09 | 1998-08-11 | Eagle Research Corp. | Multiple protocol management system |
| US5812394A (en) | 1995-07-21 | 1998-09-22 | Control Systems International | Object-oriented computer program, system, and method for developing control schemes for facilities |
| US6032154A (en) | 1996-05-09 | 2000-02-29 | Coleman; Robby A. | Data storage and management system for use with a multiple protocol management system in a data acquisition system |
| US6411987B1 (en) | 1998-08-21 | 2002-06-25 | National Instruments Corporation | Industrial automation system and method having efficient network communication |
| US20020107804A1 (en) * | 2000-10-20 | 2002-08-08 | Kravitz David William | System and method for managing trust between clients and servers |
| US20020172367A1 (en) * | 2001-05-16 | 2002-11-21 | Kasten Chase Applied Research Limited | System for secure electronic information transmission |
| US20030039361A1 (en) * | 2001-08-20 | 2003-02-27 | Hawkes Philip Michael | Method and apparatus for security in a data processing system |
| US6628992B2 (en) | 2001-04-05 | 2003-09-30 | Automation Solutions, Inc. | Remote terminal unit |
| US6658349B2 (en) | 2001-05-14 | 2003-12-02 | James Douglas Cline | Method and system for marine vessel tracking system |
| US6687573B2 (en) | 2000-03-16 | 2004-02-03 | Abb Technology Ag | Recloser and fuse coordination scheme |
| US6751562B1 (en) | 2000-11-28 | 2004-06-15 | Power Measurement Ltd. | Communications architecture for intelligent electronic devices |
| US20040217900A1 (en) | 2001-10-03 | 2004-11-04 | Martin Kenneth L. | System for tracting and monitoring vessels |
| US20040244265A1 (en) | 2002-08-09 | 2004-12-09 | Taiheiyo Cement Corporation | Luminescent lure and luminescent unit |
| US20050138120A1 (en) | 2002-02-22 | 2005-06-23 | Lars Gundersen | Communication method and system |
| US20050177749A1 (en) * | 2004-02-09 | 2005-08-11 | Shlomo Ovadia | Method and architecture for security key generation and distribution within optical switched networks |
| US20050185638A1 (en) * | 1999-04-08 | 2005-08-25 | Glenn Begis | Out-of-band signaling for network based computer session synchronization with crossbars |
| US6950851B2 (en) | 2001-04-05 | 2005-09-27 | Osburn Iii Douglas C | System and method for communication for a supervisory control and data acquisition (SCADA) system |
| US20060037041A1 (en) * | 2004-08-16 | 2006-02-16 | Amy Zhang | Method and apparatus for transporting broadcast video over a packet network including providing conditional access |
| US7073183B2 (en) | 2002-01-24 | 2006-07-04 | Nec Corporation | Locking mechanism of disk device |
| US7286914B2 (en) | 2002-06-18 | 2007-10-23 | Peggy Cerchione, legal representative | Collection and distribution of maritime data |
| US20070288743A1 (en) * | 2004-01-12 | 2007-12-13 | Cisco Technology, Inc. | Enabling stateless server-based pre-shared secrets |
| US20080130895A1 (en) * | 2006-10-25 | 2008-06-05 | Spyrus, Inc. | Method and System for Deploying Advanced Cryptographic Algorithms |
| US20090063858A1 (en) * | 2007-09-05 | 2009-03-05 | Radivision Ltd. | Systems, methods, and media for retransmitting data using the secure real-time transport protocol |
| US20090210696A1 (en) * | 2008-02-15 | 2009-08-20 | Connotech Experts-Conseils, Inc. | Method of bootstrapping an authenticated data session configuration |
| US7587481B1 (en) | 2001-04-05 | 2009-09-08 | Dj Inventions, Llc | Enterprise server for SCADA system with security interface |
| US7646298B1 (en) | 2005-02-03 | 2010-01-12 | Dj Inventions, Llc | Method for detecting changes in measurable conditions |
| US7673338B1 (en) | 2007-07-26 | 2010-03-02 | Dj Inventions, Llc | Intelligent electronic cryptographic module |
| US7673337B1 (en) | 2007-07-26 | 2010-03-02 | Dj Inventions, Llc | System for secure online configuration and communication |
| US7685436B2 (en) * | 2003-10-02 | 2010-03-23 | Itt Manufacturing Enterprises, Inc. | System and method for a secure I/O interface |
| US20100095110A1 (en) * | 2008-09-30 | 2010-04-15 | Finisar Corporation | Out of band encryption |
| US7747710B1 (en) | 2005-02-03 | 2010-06-29 | Dj Inventions, Llc | System for detecting changes in preselected measurable conditions |
| US20110022835A1 (en) * | 2009-07-27 | 2011-01-27 | Suridx, Inc. | Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates |
| US20110213969A1 (en) * | 2010-02-26 | 2011-09-01 | General Instrument Corporation | Dynamic cryptographic subscriber-device identity binding for subscriber mobility |
| US20120278634A1 (en) * | 2011-04-28 | 2012-11-01 | Nokia Corporation | Method and apparatus for secure access to execution context |
| US8316232B1 (en) | 2012-07-18 | 2012-11-20 | Dj Inventions, Llc | Cryptographic manager tool system |
| US20140281486A1 (en) * | 2013-03-13 | 2014-09-18 | Alex Nayshtut | Community-based de-duplication for encrypted data |
-
2012
- 2012-12-11 US US13/710,606 patent/US8935523B1/en active Active
Patent Citations (47)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS5398861A (en) | 1977-02-09 | 1978-08-29 | Oki Electric Ind Co Ltd | Underwater information collecting system |
| US5719771A (en) | 1993-02-24 | 1998-02-17 | Amsc Subsidiary Corporation | System for mapping occurrences of conditions in a transport route |
| US5638378A (en) | 1994-12-22 | 1997-06-10 | Motorola, Inc. | Method of operating a communication system |
| US5812394A (en) | 1995-07-21 | 1998-09-22 | Control Systems International | Object-oriented computer program, system, and method for developing control schemes for facilities |
| US5745384A (en) | 1995-07-27 | 1998-04-28 | Lucent Technologies, Inc. | System and method for detecting a signal in a noisy environment |
| US5794009A (en) | 1996-05-09 | 1998-08-11 | Eagle Research Corp. | Multiple protocol management system |
| US6032154A (en) | 1996-05-09 | 2000-02-29 | Coleman; Robby A. | Data storage and management system for use with a multiple protocol management system in a data acquisition system |
| US6411987B1 (en) | 1998-08-21 | 2002-06-25 | National Instruments Corporation | Industrial automation system and method having efficient network communication |
| US20050185638A1 (en) * | 1999-04-08 | 2005-08-25 | Glenn Begis | Out-of-band signaling for network based computer session synchronization with crossbars |
| US6687573B2 (en) | 2000-03-16 | 2004-02-03 | Abb Technology Ag | Recloser and fuse coordination scheme |
| US20020107804A1 (en) * | 2000-10-20 | 2002-08-08 | Kravitz David William | System and method for managing trust between clients and servers |
| US6751562B1 (en) | 2000-11-28 | 2004-06-15 | Power Measurement Ltd. | Communications architecture for intelligent electronic devices |
| US6950851B2 (en) | 2001-04-05 | 2005-09-27 | Osburn Iii Douglas C | System and method for communication for a supervisory control and data acquisition (SCADA) system |
| US6628992B2 (en) | 2001-04-05 | 2003-09-30 | Automation Solutions, Inc. | Remote terminal unit |
| US7587481B1 (en) | 2001-04-05 | 2009-09-08 | Dj Inventions, Llc | Enterprise server for SCADA system with security interface |
| US7225248B1 (en) | 2001-04-05 | 2007-05-29 | Dj Inventions, Llc | Integrated automation system with publisher interface |
| US6961753B1 (en) | 2001-04-05 | 2005-11-01 | Osburn Iii Douglas C | Enterprise server for communication for a supervisory control and data acquisition (SCADA) System |
| US6658349B2 (en) | 2001-05-14 | 2003-12-02 | James Douglas Cline | Method and system for marine vessel tracking system |
| US20020172367A1 (en) * | 2001-05-16 | 2002-11-21 | Kasten Chase Applied Research Limited | System for secure electronic information transmission |
| US7185362B2 (en) * | 2001-08-20 | 2007-02-27 | Qualcomm, Incorporated | Method and apparatus for security in a data processing system |
| US20030039361A1 (en) * | 2001-08-20 | 2003-02-27 | Hawkes Philip Michael | Method and apparatus for security in a data processing system |
| US20070116282A1 (en) * | 2001-08-20 | 2007-05-24 | Qualcomm, Inc. | Method and apparatus for security in a data processing system |
| US20040217900A1 (en) | 2001-10-03 | 2004-11-04 | Martin Kenneth L. | System for tracting and monitoring vessels |
| US7073183B2 (en) | 2002-01-24 | 2006-07-04 | Nec Corporation | Locking mechanism of disk device |
| US20050138120A1 (en) | 2002-02-22 | 2005-06-23 | Lars Gundersen | Communication method and system |
| US7286914B2 (en) | 2002-06-18 | 2007-10-23 | Peggy Cerchione, legal representative | Collection and distribution of maritime data |
| US20040244265A1 (en) | 2002-08-09 | 2004-12-09 | Taiheiyo Cement Corporation | Luminescent lure and luminescent unit |
| US7685436B2 (en) * | 2003-10-02 | 2010-03-23 | Itt Manufacturing Enterprises, Inc. | System and method for a secure I/O interface |
| US20070288743A1 (en) * | 2004-01-12 | 2007-12-13 | Cisco Technology, Inc. | Enabling stateless server-based pre-shared secrets |
| US20050177749A1 (en) * | 2004-02-09 | 2005-08-11 | Shlomo Ovadia | Method and architecture for security key generation and distribution within optical switched networks |
| US20060037041A1 (en) * | 2004-08-16 | 2006-02-16 | Amy Zhang | Method and apparatus for transporting broadcast video over a packet network including providing conditional access |
| US7646298B1 (en) | 2005-02-03 | 2010-01-12 | Dj Inventions, Llc | Method for detecting changes in measurable conditions |
| US7747710B1 (en) | 2005-02-03 | 2010-06-29 | Dj Inventions, Llc | System for detecting changes in preselected measurable conditions |
| US20080130895A1 (en) * | 2006-10-25 | 2008-06-05 | Spyrus, Inc. | Method and System for Deploying Advanced Cryptographic Algorithms |
| US8009829B2 (en) * | 2006-10-25 | 2011-08-30 | Spyrus, Inc. | Method and system for deploying advanced cryptographic algorithms |
| US7673338B1 (en) | 2007-07-26 | 2010-03-02 | Dj Inventions, Llc | Intelligent electronic cryptographic module |
| US7673337B1 (en) | 2007-07-26 | 2010-03-02 | Dj Inventions, Llc | System for secure online configuration and communication |
| US20090063858A1 (en) * | 2007-09-05 | 2009-03-05 | Radivision Ltd. | Systems, methods, and media for retransmitting data using the secure real-time transport protocol |
| US8464053B2 (en) * | 2007-09-05 | 2013-06-11 | Radvision Ltd | Systems, methods, and media for retransmitting data using the secure real-time transport protocol |
| US20090210696A1 (en) * | 2008-02-15 | 2009-08-20 | Connotech Experts-Conseils, Inc. | Method of bootstrapping an authenticated data session configuration |
| US8281126B2 (en) * | 2008-09-30 | 2012-10-02 | Finisar Corporation | Out of band encryption |
| US20100095110A1 (en) * | 2008-09-30 | 2010-04-15 | Finisar Corporation | Out of band encryption |
| US20110022835A1 (en) * | 2009-07-27 | 2011-01-27 | Suridx, Inc. | Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates |
| US20110213969A1 (en) * | 2010-02-26 | 2011-09-01 | General Instrument Corporation | Dynamic cryptographic subscriber-device identity binding for subscriber mobility |
| US20120278634A1 (en) * | 2011-04-28 | 2012-11-01 | Nokia Corporation | Method and apparatus for secure access to execution context |
| US8316232B1 (en) | 2012-07-18 | 2012-11-20 | Dj Inventions, Llc | Cryptographic manager tool system |
| US20140281486A1 (en) * | 2013-03-13 | 2014-09-18 | Alex Nayshtut | Community-based de-duplication for encrypted data |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10902155B2 (en) | 2013-03-29 | 2021-01-26 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US11921906B2 (en) | 2013-03-29 | 2024-03-05 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US9798899B1 (en) | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
| US11783089B2 (en) | 2013-03-29 | 2023-10-10 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US9858442B1 (en) | 2013-03-29 | 2018-01-02 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US10013580B2 (en) | 2013-03-29 | 2018-07-03 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US11288402B2 (en) | 2013-03-29 | 2022-03-29 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
| US11429540B2 (en) | 2013-04-01 | 2022-08-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US10114766B2 (en) | 2013-04-01 | 2018-10-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US11792169B2 (en) | 2015-09-17 | 2023-10-17 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US20170094551A1 (en) * | 2015-09-30 | 2017-03-30 | Intel IP Corporation | Interference mitigation by a scalable digital wireless modem |
| US9843959B2 (en) * | 2015-09-30 | 2017-12-12 | Intel IP Corporation | Interference mitigation by a scalable digital wireless modem |
| US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
| US11750571B2 (en) | 2015-10-26 | 2023-09-05 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
| WO2017074887A1 (en) * | 2015-10-26 | 2017-05-04 | Secturion Systems, Inc. | Multi-independent level secure (mils) storage encryption |
| US10251061B2 (en) | 2015-12-17 | 2019-04-02 | Tadhg Kelly | Cellular out of band management as a cloud service |
| US11330003B1 (en) * | 2017-11-14 | 2022-05-10 | Amazon Technologies, Inc. | Enterprise messaging platform |
| US11016457B1 (en) | 2019-07-19 | 2021-05-25 | zdSCADA, LP | Supervisory control and data acquisition (SCADA) system for use with SCADA devices having disparate communication technologies |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8935523B1 (en) | Cryptographic protected communication system with multiplexed cryptographic cryptopipe modules | |
| US8694770B1 (en) | Auditable cryptographic protected cloud computing communication system | |
| US8898481B1 (en) | Auditable cryptographic protected cloud computing communications system | |
| US10824736B2 (en) | Industrial security agent platform | |
| EP3363150B1 (en) | System for providing end-to-end protection against network-based attacks | |
| Drias et al. | Analysis of cyber security for industrial control systems | |
| JP7383368B2 (en) | Methods, systems for securely transferring communications from a process plant to another system | |
| EP1906622B1 (en) | Alarm/event encryption in an industrial environment | |
| US7673337B1 (en) | System for secure online configuration and communication | |
| EP3691216A1 (en) | Key offsite storage-based data encryption storage system and method | |
| US7673338B1 (en) | Intelligent electronic cryptographic module | |
| EP1556749A1 (en) | Master dongle for a secured data communications network | |
| US8316232B1 (en) | Cryptographic manager tool system | |
| Yang et al. | Cyber security issues of critical components for industrial control system | |
| US8364950B1 (en) | Auditable cryptographic protected communication system | |
| US20160112384A1 (en) | Secure remote desktop | |
| Alsiherov et al. | Research trend on secure SCADA network technology and methods | |
| EP3001639A1 (en) | Industrial security agent platform | |
| Purchina et al. | Securing an Information System via the SSL Protocol. | |
| Robles et al. | Security encryption schemes for internet SCADA: comparison of the solutions | |
| Sreenivas et al. | Enhancing the security for information with virtual data centers in cloud | |
| Salpekar | Protecting smart grid and advanced metering infrastructure | |
| Mashima et al. | Cybersecurity for Modern Smart Grid Against Emerging Threats | |
| Onshus et al. | Ict security and independence | |
| CN103701659A (en) | Monitoring information transmission method and system for nuclear power plant |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment |
Owner name: DJ INVENTIONS, LLC, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:OSBURN, DOUGLAS C., III;REEL/FRAME:029443/0390 Effective date: 20121204 |
|
| STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
| MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551) Year of fee payment: 4 |
|
| AS | Assignment |
Owner name: DJ OSBURN MANAGEMENT, LLC, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:DJ INVENTIONS, LLC;REEL/FRAME:054455/0679 Effective date: 20201120 |
|
| MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 8 |